Sophos XG Block Inter-VLAN Traffic DMZ

Hello everyone,

I have a VLAN 10 which is my DMZ and I want to disable/block access to my internal Network (VLAN 1).

I can ping every Device from my DMZ and access every LAN-Device.

I already tried to add a BLOCK Rule, but my Sophos seems to ignore it.

Anybody got an idea how to block this?

  • Hello xXTim150Xx

    Is there another router between VLAN 10 (DMZ) and VLAN 1 (LAN)?

    Are the interfaces defined in the correct zones?

    Sophos XG needs rules for all internal routing.

    You can try to figure out what's happening by switching on logging on each rule and tracing a communication from DMZ to LAN in the logfile.


    Best regards,
    BeEf
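    The log-tracing step suggested above, as an added example that is not part of the original thread: it parses constructed firewall log lines in a key="value" style (the field names src_zone, dst_zone, fw_rule_id, log_subtype, src_ip, dst_ip are assumptions, not taken from a real Sophos export) and reports which rule produced each verdict for DMZ-to-LAN traffic. A test flow that never shows up in the log at all points at traffic bypassing the firewall, which is the virtual-wiring case raised later in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines; the key="value" layout and field names are
# assumptions for this example, not a real Sophos XG export.
SAMPLE_LOG = """\
log_type="Firewall" log_subtype="Allowed" fw_rule_id="3" src_zone="DMZ" dst_zone="LAN" src_ip="10.10.10.5" dst_ip="192.168.1.20"
log_type="Firewall" log_subtype="Denied" fw_rule_id="7" src_zone="DMZ" dst_zone="LAN" src_ip="10.10.10.5" dst_ip="192.168.1.21"
log_type="Firewall" log_subtype="Allowed" fw_rule_id="2" src_zone="LAN" dst_zone="WAN" src_ip="192.168.1.20" dst_ip="1.1.1.1"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV.findall(line))


def trace_flow(log_text, src_zone="DMZ", dst_zone="LAN"):
    """Count verdicts per firewall rule for traffic from src_zone to dst_zone.

    If an Allowed entry appears for a rule other than the intended block rule,
    that rule sits above the block rule in the rule order and matches first.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall":
            continue
        if rec.get("src_zone") == src_zone and rec.get("dst_zone") == dst_zone:
            hits[rec.get("fw_rule_id", "?")][rec.get("log_subtype", "?")] += 1
    return {rule: dict(counts) for rule, counts in hits.items()}


def diagnose(log_text, src_ip, dst_ip):
    """Classify what the log says about one test connection src_ip -> dst_ip."""
    verdicts = [rec.get("log_subtype")
                for rec in map(parse_line, log_text.splitlines())
                if rec.get("src_ip") == src_ip and rec.get("dst_ip") == dst_ip]
    if not verdicts:
        # Firewall never saw the packets: suspect the bridge/VLAN wiring is
        # carrying traffic between the networks without traversing the firewall.
        return "not-seen"
    if "Allowed" in verdicts:
        return "allowed"   # some rule permits it; check rule order and zones
    return "denied"
```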

  • The interfaces are all in their own Zones (LAN, DMZ).

    There is no other router in my network. 

    The Sophos is also my gateway, which is virtualized on Proxmox.

    All Ethernet interfaces connected to the Sophos are bridged with OVS.

    If I do a traceroute, the path looks like: Gateway VLAN10 → Host Network LAN.

  • Can you show me the interface definition? Are there bridges involved?

    Unset the policy filter and go through the firewall rules 1 by 1 and do not care about the names. 
    There could also be a zone Any or you mixed some things up.

    As this is virtualized, the cause could also lie outside of the firewall or in the physical-virtual "wiring". Without really knowing what's wrong, my gut feeling is that this is the reason with a probability of >>50%.
